I am using Https and Tcp over SSL in java application with keystores and truststores. I use selfsigned certificates generated by java keytool. I am came to know about HeartBleed vulnerability with openSSL, do I need to change any implementation from java side or I am on safe side. can anyone please give details.
Java does not use OpenSSL, although some Java applications like Tomcat can. As you're using keystores and truststores, you must be using JSSE rather than OpenSSL.
Related
Is it possible to configure Lagom to work with SSL/TLS connections?
I generated keystore and trustore files using Java KeyTool,
I tried to configure play framework in the application.conf file to work with the generated files with no success.
Thanks for the help.
Since 1.5.x Lagom version, the use of SSL has been supported:
https://www.lagomframework.com/documentation/1.6.x/java/ConfiguringServicesInDevelopment.html#Using-HTTPS-in-development-mode
I have a web service that is currently being used by a variety of old .Net and Java clients using TLS1.0/SSl3 protocols using a SHA1 certificate.
If I were to change the certificate to be SHA2 would these clients still work ?
I am changing no other configurations on the server (i.e. not disabling TLS1 /SS3).
I will overtime when I can get the clients to upgrade to use TLS1.2.
.NET supports SHA2 since 1.1 (see What's the state of support for SHA-2 in various platforms?)
Java supports SHA2 since 1.4.2. (see https://www.entrust.com/should-you-use-sha-2/)
If you have access to these clients, and if they can connect to a different URL that uses a SHA2 certificate, you should be good. Give the users/ maintainers of these clients a date when you will be migrating your service to use a SHA2 certificate so that they can test it themselves.
I have a security requirement checklist that requires the following:
SSL must be configured to support only SSL version 3 or TLS version
How can I tell what version my SSL supports? I'm using openssl.
If you are developing software using OpenSSL the choice of what particular instance of the protocol (SSL2, SSL3, TLS1) is permitted is established by the context that you make for creating SSL objects. Here is the minimal example of setting up a context that supports only TLS1:
new_ctx = SSL_CTX_new (TLSv1_server_method ());
If you want to support SSL3 and above, you'd use:
new_ctx = SSL_CTX_new (SSLv23_method ());
SSL_CTX_set_options (new_ctx, SSL_OP_NO_SSLv2);
This only scratches the surface, but maybe will point you in the right direction.
I'd like to use an alternative SSL library like GnuTLS on JBOSS for secure connection. Am I right that GnuTLS can't be used on JBOSS since it's written in C? Apart from that, does JBOSS only support OpenSSL and JSSE (keytool) libraries?
The reason I'm considering the move is for security reasons. Will this make any real change since all SSL libraries use the same algorithms like RSA?
So, if I keep using OpenSSL or keytool, will the application stay equally secure?
I am looking for sample code or documentation on how to use client side certificates with SSL under MacOSX.
The server I want to connect to, does speak a custom ascii protocol but allows only ssl connections with registered client certificates. I already wrote a client in Java that works.
In Java I initialized a SSLContext with a KeyManager-Array and a TrustManager-Array. How would I do that with Objective-C on MacOSX?
I found this http://code.google.com/p/cocoaasyncsocket/ which got me as far as connecting and receiving from a server that does not require a client certificate. Would it be feasible to extend that code to use client side certificates?
You probably want CFStream
http://developer.apple.com/mac/library/documentation/Networking/Conceptual/CFNetwork/Concepts/Concepts.html#//apple_ref/doc/uid/TP30001132-CH4-SW4